    Researchers Expose GhostCall and GhostHire: BlueNoroff’s New Malware Chains

    By Techurz, October 28, 2025

    Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire.

    According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff, which is also known as APT38, CageyChameleon, CryptoCore, Genie Spider, Nickel Gladstone, Sapphire Sleet (formerly Copernicium), and Stardust Chollima.

    Victims of the GhostCall campaign span several infected macOS hosts located in Japan, Italy, France, Singapore, Turkey, Spain, Sweden, India, and Hong Kong, whereas Japan and Australia have been identified as the major hunting grounds for the GhostHire campaign.

    “GhostCall heavily targets the macOS devices of executives at tech companies and in the venture capital sector by directly approaching targets via platforms like Telegram, and inviting potential victims to investment-related meetings linked to Zoom-like phishing websites,” Kaspersky said.

    “The victim would join a fake call with genuine recordings of this threat’s other actual victims rather than deepfakes. The call proceeds smoothly and then encourages the user to update the Zoom client with a script. Eventually, the script downloads ZIP files that result in infection chains deployed on an infected host.”

    On the other hand, GhostHire involves approaching prospective targets, such as Web3 developers, on Telegram and luring them into downloading and executing a booby-trapped GitHub repository under the pretext of completing a skill assessment within 30 minutes of sharing the link, so as to ensure a higher success rate of infection.

    Once installed, the project is designed to download a malicious payload onto the developer’s system based on the operating system used. The Russian cybersecurity company said it has been keeping tabs on the two campaigns since April 2025, although it’s assessed that GhostCall has been active since mid-2023, likely following the RustBucket campaign.

    RustBucket marked the adversarial collective’s major pivot to targeting macOS systems, following which other campaigns have leveraged malware families like KANDYKORN, ObjCShellz, and TodoSwift.

    It’s worth noting that various aspects of the activity have been documented extensively over the past year by multiple security vendors, including Microsoft, Huntress, Field Effect, Huntabil.IT, Validin, and SentinelOne.

    The GhostCall Campaign

    Targets who land on the fake Zoom pages as part of the GhostCall campaign are initially served a bogus page that gives the illusion of a live call, only to display an error message three to five seconds later, urging them to download a Zoom software development kit (SDK) to address a purported issue with continuing the call.

    Should the victims fall for the trap and attempt to update the SDK by clicking on the “Update Now” option, it leads to the download of a malicious AppleScript file onto their system. In the event the victim is using a Windows machine, the attack leverages the ClickFix technique to copy and run a PowerShell command.

    At each stage, every interaction with the fake site is recorded and beaconed to the attackers to track the victim’s actions. As recently as last month, the threat actor has been observed transitioning from Zoom to Microsoft Teams, using the same tactic of tricking users into downloading a TeamsFx SDK this time to trigger the infection chain.

    Regardless of the lure used, the AppleScript is designed to install a phony application disguised as Zoom or Microsoft Teams. It also downloads another AppleScript dubbed DownTroy that checks stored passwords associated with password management applications and installs additional malware with root privileges.

    DownTroy, for its part, is engineered to drop several payloads as part of eight distinct attack chains, while also bypassing Apple’s Transparency, Consent, and Control (TCC) framework –

    • ZoomClutch or TeamsClutch, which uses a Swift-based implant that masquerades as Zoom or Teams while harboring functionality to prompt the user to enter their system password in order to complete the app update and exfiltrate the details to an external server
    • DownTroy v1, which uses a Go-based dropper to launch the AppleScript-based DownTroy malware that’s then responsible for downloading additional scripts from the server until the machine is rebooted.
    • CosmicDoor, which uses a C++ binary loader called GillyInjector (aka InjectWithDyld) to run a benign Mach-O app and inject a malicious payload into it at runtime. When it’s run with the -d flag, GillyInjector activates its destructive capabilities and irrevocably wipes all files in the current directory. The injected payload is a backdoor written in Nim named CosmicDoor that can communicate with an external server to receive and execute commands. It’s believed that the attackers first developed a Go version of CosmicDoor for Windows, before moving to Rust, Python, and Nim variants. It also downloads a bash script stealer suite named SilentSiphon.
    • RooTroy, which uses the Nimcore loader to launch GillyInjector, which then injects a Go backdoor called RooTroy (aka Root Troy V4) to collect device information, enumerate running processes, read a payload from a specific file, and download and execute additional malware (including RealTimeTroy).
    • RealTimeTroy, which uses the Nimcore loader to launch GillyInjector, which then injects a Go backdoor called RealTimeTroy that communicates with an external server over the WSS protocol to read/write files, get directory and process information, upload/download files, terminate a specified process, and get device information.
    • SneakMain, which uses the Nimcore loader to launch a Nim payload called SneakMain that receives and executes additional AppleScript commands from an external server.
    • DownTroy v2, which uses a dropper named CoreKitAgent to launch the Nimcore loader, which then launches AppleScript-based DownTroy (aka NimDoor) to download an additional malicious script from an external server.
    • SysPhon, which uses a lightweight version of RustBucket named SysPhon together with SUGARLOADER, a known loader previously observed delivering the KANDYKORN malware. SysPhon, also employed in the Hidden Risk campaign, is a downloader written in C++ that can conduct reconnaissance and fetch a binary payload from an external server.

    SilentSiphon is equipped to harvest data from Apple Notes, Telegram, and web browser extensions, as well as credentials from browsers and password managers, and secrets stored in configuration files related to a long list of services: GitHub, GitLab, Bitbucket, npm, Yarn, Python pip, RubyGems, Rust Cargo, .NET NuGet, AWS, Google Cloud, Microsoft Azure, Oracle Cloud, Akamai Linode, DigitalOcean API, Vercel, Cloudflare, Netlify, Stripe, Firebase, Twilio, CircleCI, Pulumi, HashiCorp, SSH, FTP, Sui Blockchain, Solana, NEAR Blockchain, Aptos Blockchain, Algorand, Docker, Kubernetes, and OpenAI.

    “While the video feeds for fake calls were recorded via the fabricated Zoom phishing pages the actor created, the profile images of meeting participants appear to have been sourced from job platforms or social media platforms such as LinkedIn, Crunchbase, or X,” Kaspersky said. “Interestingly, some of these images were enhanced with [OpenAI] GPT-4o.”

    The GhostHire Campaign

    The GhostHire campaign, the Russian cybersecurity company added, also dates back to mid-2023, with the attackers initiating contact with the targets directly on Telegram, sharing details of a job offer along with a link to a LinkedIn profile impersonating recruiters at financial companies based in the U.S. in an attempt to lend the conversations a veneer of legitimacy.

    “Following up on initial communication, the actor adds the target to a user list for a Telegram bot, which displays the impersonated company’s logo and falsely claims to streamline technical assessments for candidates,” Kaspersky explained.

    “The bot then sends the victim an archive file (ZIP) containing a coding assessment project, along with a strict deadline (often around 30 minutes) to pressure the target into quickly completing the task. This urgency increases the likelihood of the target executing the malicious content, leading to initial system compromise.”

    The project itself is innocuous, but it incorporates a malicious dependency in the form of a Go module hosted on GitHub (e.g., uniroute), so the infection sequence is triggered once the project is executed. The sequence first determines the operating system of the victim’s computer and then delivers an appropriate next-stage payload (i.e., DownTroy) written in PowerShell (Windows), bash (Linux), or AppleScript (macOS).
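    A defender-side triage step for this lure, added here as an example and not taken from the article or from Kaspersky: before building or running a received “assessment” project, parse its go.mod and flag dependencies that pull code from sources outside a reviewed allowlist, pseudo-versions that pin a raw commit rather than a tagged release, and replace directives that redirect a known module to a remote path. The allowlist and the sample go.mod (including the `github.com/someorg/uniroute` path) are constructed for the example.

```python
"""Triage a Go project's go.mod before executing it (added example).

Flags the dependency pattern GhostHire relied on: a Go module hosted on
GitHub that is unknown to the reviewer and is pulled in by the project.
"""
import re

# Assumed allowlist of module prefixes this team has already reviewed
# (hypothetical; adjust to your own vetted dependency set).
TRUSTED_PREFIXES = ("golang.org/x/", "github.com/gorilla/", "github.com/stretchr/")

# Constructed sample go.mod: one vetted dependency, one unvetted module
# pinned to a raw commit, and a replace directive pointing at a fork.
SAMPLE_GO_MOD = """module example.com/assessment

go 1.22

require (
    github.com/gorilla/mux v1.8.1
    github.com/someorg/uniroute v0.0.0-20250401000000-abcdef123456
)

replace github.com/gorilla/mux => github.com/someorg/mux-fork v1.0.0
"""

_REQ = re.compile(r"^\s*([\w./-]+)\s+(v[\w.+-]+)")
_REP = re.compile(r"^\s*replace\s+([\w./-]+)(?:\s+v[\w.+-]+)?\s*=>\s*(\S+)")
_PSEUDO = re.compile(r"-\d{14}-[0-9a-f]{12}$")  # vX.Y.Z-yyyymmddhhmmss-commit

def triage_go_mod(text, trusted=TRUSTED_PREFIXES):
    """Return a list of (reason, detail) findings for the given go.mod text."""
    findings = []
    in_require = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("require ("):
            in_require = True
            continue
        if in_require and stripped == ")":
            in_require = False
            continue
        rep = _REP.match(line)
        if rep:
            target = rep.group(2)
            # A replace to a remote path swaps a known module for arbitrary code;
            # local paths ("./vendor", "../lib") are at least visible in the repo.
            if not target.startswith((".", "/")):
                findings.append(("replace-to-remote", f"{rep.group(1)} => {target}"))
            continue
        if stripped.startswith("require "):       # single-line require
            stripped = stripped[len("require "):]
        elif not in_require:
            continue
        req = _REQ.match(stripped)
        if req:
            mod, ver = req.group(1), req.group(2)
            if not mod.startswith(trusted):
                findings.append(("untrusted-module", mod))
            if _PSEUDO.search(ver):               # no tagged release behind it
                findings.append(("pseudo-version", mod))
    return findings
```

Run `triage_go_mod(SAMPLE_GO_MOD)` to see the three findings; an empty list means nothing outside the allowlist was pulled in, which is a precondition for, not a substitute for, reviewing the code itself.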

    Also deployed via DownTroy in the attacks targeting Windows are RooTroy, RealTimeTroy, a Go version of CosmicDoor, and a Rust-based loader named Bof that’s used to decode and launch an encrypted shellcode payload stored in the “C:\Windows\system32\” folder.

    “Our research indicates a sustained effort by the actor to develop malware targeting both Windows and macOS systems, orchestrated through a unified command-and-control infrastructure,” Kaspersky said. “The use of generative AI has significantly accelerated this process, enabling more efficient malware development with reduced operational overhead.”

    “The actor’s targeting strategy has evolved beyond simple cryptocurrency and browser credential theft. Upon gaining access, they conduct comprehensive data acquisition across a range of assets, including infrastructure, collaboration tools, note-taking applications, development environments, and communication platforms (messengers).”
